In Norse mythology, Víðarr is a god and son of Odin, whose death it is foretold he will avenge.

Being referred to as “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including the Tor Browser) and cryptocurrency wallets, capture instant messages, and more.

We witnessed a threat actor using the Fallout exploit kit to distribute Vidar. Victims are unlikely to notice it, though, because the secondary and far noisier payload being pushed is GandCrab ransomware.

Overview:

A malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon a closer look, while the sample did share many similarities with Arkei (including network events), it was actually a newer and not yet publicly described piece of malware now identified as Vidar.

Beyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own command and control (C2) server.

The infection timeline showed that victims were first infected with Vidar, which attempted to steal confidential information, before they were eventually compromised with the GandCrab ransomware.

Malvertising & Fallout exploit kit:

Torrent/streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly regulated.

A malicious actor using a rogue advertising domain is redirecting these site visitors, according to their geolocation and provenance, to at least two different exploit kits (Fallout EK and GrandSoft EK), the former being the more active of the two.

Stealers such as AZORult seem to be a favorite payload here, but we also noticed that Arkei/Vidar was quite common.

In this particular instance, we noticed Vidar being pushed via the Fallout exploit kit.

Vidar:

It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.

Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in.

Beyond the usual credit card numbers and passwords stored in applications, Vidar can also scrape an impressive selection of virtual wallets.

Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.

This includes high-level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP), stored in a file called information.txt. This file is packaged along with the other stolen data and zipped before being sent back to the C2 server.

GandCrab as a loader:

Vidar can also download additional malware via its command and control server.

This is known as the loader feature, and it can be configured within Vidar’s administration panel by adding a direct URL to the payload.

However, not all instances of Vidar will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.
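The two C2 behaviours described above (the unencrypted HTTP POST carrying a zip archive that includes information.txt, and the loader check answered with either a payload URL or the literal "ok") are observable on the wire, which gives defenders two simple network heuristics. The following is an added example, not code from the original post; the request builder constructs a sample exchange (the host name and body are placeholders, not real indicators), and the two inspection functions are hypothetical detection helpers that a proxy or IDS script could apply to captured traffic.

```python
import io
import re
import zipfile

# Constructed sample: a plaintext HTTP POST whose body is a zip archive that
# includes information.txt, mirroring the exfiltration pattern the post describes.
def build_sample_request() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", "constructed sample, not real victim data\n")
        zf.writestr("wallets/sample.dat", "placeholder")
    body = buf.getvalue()
    headers = (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"  # placeholder host, not a real IoC
        b"Content-Type: application/octet-stream\r\n"
        + f"Content-Length: {len(body)}\r\n\r\n".encode()
    )
    return headers + body

def inspect_http_request(raw: bytes) -> dict:
    """Flag a plaintext HTTP POST whose body is a zip archive containing
    information.txt. 'suspicious' stays False for anything else."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    finding = {"suspicious": False, "method": None, "zip_entries": []}
    first_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"([A-Z]+) ", first_line)
    finding["method"] = m.group(1).decode() if m else None
    # Only POST bodies that start with a zip local-file-header magic are examined.
    if finding["method"] != "POST" or not body.startswith(b"PK\x03\x04"):
        return finding
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            finding["zip_entries"] = zf.namelist()
    except zipfile.BadZipFile:
        return finding
    finding["suspicious"] = "information.txt" in finding["zip_entries"]
    return finding

def classify_loader_response(body: str) -> str:
    """Classify the C2's loader reply: a URL means a second stage will be
    fetched, the literal "ok" means no additional payload for this instance."""
    text = body.strip()
    if text.lower() == "ok":
        return "no-payload"
    if re.fullmatch(r"https?://\S+", text):
        return "payload-url"
    return "unknown"
```

A matching request is a strong pivot point: the zip listing itself tells an analyst which data categories the profile targeted, and a "payload-url" loader reply is the moment to look for the ransomware stage that followed in this campaign.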